CVE-2021-31602

🗓️ 08 Nov 2021 03:30:32Reported by mitreType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 128 Views🌐 WEB

Issue in Hitachi Vantara Pentaho & Business Intelligence Server allows unauthenticated user to extract informatio

Reporter	Title	Published	Views	Family All 14
0day.today	Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass Vulnerability	7 Nov 202100:00	–	zdt
0day.today	Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection Vulnerability	7 Nov 202100:00	–	zdt
Circl	CVE-2021-31602	8 Nov 202107:28	–	circl
CNNVD	Hitachi Vantara Pentaho 授权问题漏洞	5 Nov 202100:00	–	cnnvd
Cvelist	CVE-2021-31602	8 Nov 202103:30	–	cvelist
Nuclei	Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass	28 Jun 202615:08	–	nuclei
NVD	CVE-2021-31602	8 Nov 202104:15	–	nvd
OSV	CVE-2021-31602	8 Nov 202104:15	–	osv
Packet Storm	Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass	5 Nov 202100:00	–	packetstorm
Packet Storm	Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection	5 Nov 202100:00	–	packetstorm

NVD

Node

Source	Link
hitachi	www.hitachi.com/hirt/security/index.html
packetstormsecurity	www.packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html

Parameter	Position	Path	Description	CWE
command	query param	/pentaho/api/repos/dashboards/editor?command=executeQuery&datasource=pentaho_operations_mart&query=*&require-cfg.js	Unauthenticated user can trigger SQL queries via the dashboards editor endpoint, enabling arbitrary SQL execution against Pentaho datasources	CWE-287
datasource	query param	/pentaho/api/repos/dashboards/editor?command=executeQuery&datasource=pentaho_operations_mart&query=*&require-cfg.js	Unauthenticated user can trigger SQL queries via the dashboards editor endpoint, enabling arbitrary SQL execution against Pentaho datasources	CWE-287
query	query param	/pentaho/api/repos/dashboards/editor?command=executeQuery&datasource=pentaho_operations_mart&query=*&require-cfg.js	Unauthenticated user can trigger SQL queries via the dashboards editor endpoint, enabling arbitrary SQL execution against Pentaho datasources	CWE-287
require-cfg.js	query param	/pentaho/api/repos/dashboards/editor?command=executeQuery&datasource=pentaho_operations_mart&query=*&require-cfg.js	Unauthenticated user can trigger SQL queries via the dashboards editor endpoint, enabling arbitrary SQL execution against Pentaho datasources	CWE-287

17 Jun 2026 03:52Current

7.5High risk

Vulners AI Score7.5

CVSS 25

CVSS 3.15.3 - 7.5

EPSS0.51653